A group of researchers from Vrije Universiteit Amsterdam (VU Amsterdam) has disclosed a new attack method, Native BHI (CVE-2024-2201), which on systems with Intel processors allows the contents of Linux kernel memory to be determined by an exploit running in user space. When the attack is applied to virtualization systems, an attacker in a guest system can determine the contents of memory belonging to the host or to other guest systems.
Native BHI is a new technique for exploiting the BHI vulnerability (Branch History Injection, CVE-2022-0001) that bypasses the protection measures implemented earlier. The BHI attack method proposed in 2022 exploited the CPU vulnerability within a single privilege level, and its exploit relied on executing an eBPF program that the user loaded into the kernel. To block that attack method it was sufficient to restrict ordinary users' access to eBPF.
The new Native BHI method does not require access to eBPF and allows the kernel to be attacked from user space. It relies on executing gadgets already present in the kernel code, that is, instruction sequences that lead to speculative execution of instructions. To find suitable gadgets, the researchers developed a dedicated tool, InSpectre Gadget, which in an analysis of kernel 6.6-rc4 identified 1511 Spectre gadgets and 2105 auxiliary dispatch gadgets.
Based on the gadgets found, the researchers prepared an exploit that makes it possible to extract from kernel buffers a line containing the root password hash, loaded from the /etc /